What would you do if the keys to your digital life were quietly copied and shipped to strangers? That question is no longer hypothetical. Infostealers — a breed of malware engineered to harvest passwords, cookies, cryptocurrency wallets and other sensitive data — have become a low-cost, high-yield weapon in modern cybercrime. At ISACA Europe 2025, cybersecurity consultant Tony Gee laid out pragmatic, technical defenses security teams can implement now. The imperative is straightforward: treat infostealers as an ongoing operational threat that requires layered, maintained defenses rather than a one-off nuisance.
Why infostealers work so well
Infostealers succeed because they exploit both technical and human weaknesses while being inexpensive and widely available. These tools are lightweight, modular and marketed on criminal forums with plug-and-play ease. Attackers need little skill to deploy them and can quickly customize modules for new targets. On the technical side, infostealers take advantage of unpatched endpoints, permissive browser settings, leaked secrets embedded in code, and insecure configurations. On the human side, reused passwords, phishing, and lax security habits make credential harvesting and reuse frighteningly effective.
Once harvested, credentials, session cookies and crypto keys can be monetized immediately: sold on dark markets, reused for account takeover, combined with other access to escalate privileges, or used for fraud. The downstream impacts include business email compromise, payroll fraud, cloud console intrusion and more — losses that translate directly into financial, regulatory and reputational damage.
infostealers: Must-have defenses
Tony Gee emphasized practical technical controls grouped into complementary categories. These defenses are actionable today and reduce both the probability and impact of infostealer intrusions.
– Reduce the attack surface: Keep endpoints and servers patched, enforce robust configuration management, restrict who can install privileged software, and implement application allowlisting to block unsigned or unexpected binaries from running.
– Harden credential storage and authentication: Use enterprise credential managers and secrets vaults. Where possible, require hardware-backed authentication such as FIDO2 security keys and enforce strong multi-factor authentication (MFA) across all critical systems. Monitor for MFA bypass attempts and anomalous authentication patterns.
– Enhance visibility and response: Deploy modern endpoint detection and response (EDR) with behavioral analytics tuned to spot credential-dumping, automated scraping of browser stores, or unusual file exfiltration. Centralize logging, enable rapid threat hunting, and streamline alert triage so incidents are detected and contained quickly.
– Contain and isolate compromise: Use browser isolation for risky browsing, privileged access workstations (PAWs) for sensitive tasks, and network segmentation to prevent a compromised user machine from freely accessing high-value systems.
– Data loss prevention (DLP) and secrets hygiene: Scan for and block exfiltration of key file types. Eliminate hard-coded credentials from code repositories, container images and CI/CD pipelines; use ephemeral secrets and automated rotation instead.
Practical challenges and trade-offs
Adoption of these measures is uneven. Small organizations may lack the budget or personnel to deploy and tune sophisticated EDR or manage hardened privileged environments. Large enterprises wrestle with legacy systems and the complexity of cloud-native infrastructures. Attackers continuously evolve, embedding evasion techniques that blunt signature-based detection and force defenders toward behavior-based telemetry and automation.
There are also real trade-offs. Heavy-handed restrictions can interrupt productivity and drive users toward unsanctioned workarounds. The cost of enterprise EDR, vault solutions and managed detection services can be prohibitive for many organizations. Law enforcement can disrupt crimeware supply chains, but cross-border takedowns are slow and incomplete. Given these constraints, a balanced, prioritized approach that layers defenses, focuses investment on highest-risk assets, and automates routine security operations delivers the best risk-adjusted outcomes.
Operationalizing defenses: governance and metrics
Technology alone is insufficient. A disciplined program requires clear ownership: who manages the credential vault, who configures allowlists, who triages EDR alerts. Measure what matters — mean time to detect (MTTD) and mean time to remediate (MTTR), percentage of sensitive tasks performed from hardened workstations, and the extent of secret sprawl in codebases. Regular audits, automated secret scanning in repositories, and continuous tuning of detection rules will keep defenses aligned with evolving threats.
Human factors and validation
Users remain both a primary defense and a persistent vulnerability. Training must be realistic and focused: show how phishing can lead to infostealer deployment, make secure tools easy and low-friction, and remove incentives to bypass controls. Complement education with proactive red-teaming and threat intelligence so defenses are tested against real-world tactics, techniques and procedures.
Conclusion: Treat infostealers as an enduring risk
Infostealers are not a passing trend; they are an efficient, scalable mechanism for criminals to monetize access. The remedy is not a single silver bullet but a sustained, technical program that hardens endpoints, secures credentials, improves detection and contains damage. Organizations must ask themselves a blunt question: can you accept the risk of leaving your digital keys accessible, or will you invest in the layered defenses necessary to keep them protected? Implementing prioritized, measurable, and user-friendly controls is the pragmatic path to reducing both the likelihood and impact of infostealer-driven breaches.




